A General Assembly United Nations Human Rights Council

advertisement
A/HRC/28/39
United Nations
General Assembly
Distr.: General
19 December 2014
Original: English
Human Rights Council
Twenty-eighth session
Agenda items 2 and 3
Annual report of the United Nations High Commissioner
for Human Rights and reports of the Office of the
High Commissioner and the Secretary-General
Promotion and protection of all human rights, civil,
political, economic, social and cultural rights,
including the right to development
Summary of the Human Rights Council panel discussion on
the right to privacy in the digital age
Report of the Office of the United Nations High Commissioner for
Human Rights
Summary
The present report is submitted pursuant to Human Rights Council decision 25/117.
It provides a summary of the panel discussion on the right to privacy in the digital age, held
on 12 September 2014, during the twenty-seventh session of the Human Rights Council.
Based on the request of the Human Rights Council, the promotion and protection of the
right to privacy in the digital age in the context of domestic and extraterritorial surveillance,
the interception of digital communications and the collection of personal data, including on
a mass scale, also with a view to identifying challenges and best practices, taking into
account the report of the United Nations High Commissioner for Human Rights, were
examined in the course of the panel discussion.
GE.14-24708 (E)

A/HRC/28/39
Contents
Page
I.
Introduction .............................................................................................................
1–4
3
II.
Opening statement by the United Nations Deputy High Commissioner for
Human Rights..........................................................................................................
5–16
3
III.
Contributions of panellists ......................................................................................
17–29
5
IV.
Summary of the discussion .....................................................................................
30–57
9
A.
General remarks on the right to privacy in the digital age ..............................
32–42
10
B.
Legal protection of the right to privacy ..........................................................
43–52
11
C.
Specific issues regarding business entities......................................................
53–55
14
D.
Way forward ...................................................................................................
56–57
15
Conclusions .............................................................................................................
58–61
16
V.
2
Paragraphs
A/HRC/28/39
I. Introduction
1.
Pursuant to its decision 25/117, the Human Rights Council held a panel discussion
on the right to privacy in the digital age on 12 September 2014. The discussion took
account of the issues raised in the report of the United Nations High Commissioner for
Human Rights submitted to the Human Rights Council at its twenty-seventh session
(A/HRC/27/37).
2.
Based on the request of the Human Rights Council, the promotion and protection of
the right to privacy in the digital age in the context of domestic and extraterritorial
surveillance, the interception of digital communications and the collection of personal data,
including on a mass scale, also with a view to identifying challenges and best practices,
taking into account the report of the High Commissioner for Human Rights, were examined
in the course of the panel discussion.
3.
The panel discussion was chaired by the President of the Human Rights Council,
and moderated by Marko Milanovic, Associate Professor at Nottingham University. The
United Nations Deputy High Commissioner for Human Rights gave an opening address.
The panellists were Catalina Botero, Special Rapporteur on freedom of expression, InterAmerican Commission on Human Rights, Sarah Cleveland, Louis Henkin Professor of
Human and Constitutional Rights, Columbia Law School, Yves Nissim, Deputy Chief
Corporate Social Responsibility Officer, Orange, former Chair of the Telecommunications
Industry Dialogue, and Carly Nyst, Legal Director, Privacy International.
4.
In its decision 25/117, the Council requested the Office of the High Commissioner
to present a summary report of the panel discussion at its twenty-eighth session. The
present report is submitted pursuant to that request.
II. Opening statement by the United Nations Deputy High
Commissioner for Human Rights
5.
The Deputy High Commissioner noted that, in a very short space of time, digital
communications technologies had revolutionized the way human beings interact and that
for millions of people, the digital age was one of emancipation – perhaps the greatest
liberation movement the world had ever known. She noted as an example that over one
million people had participated electronically in the open dialogue and consultation that
was conducted to develop a framework for the post-2015 sustainable development goals,
which called for the full inclusion of human rights. She emphasized that human rights
defenders, activists, democratic voices, minorities and others could now communicate via
digital platforms and participate in the global debate in ways that were previously
inconceivable.
6.
The Deputy High Commissioner also noted that those digital platforms were
vulnerable to surveillance, interception and data collection. Deep concerns had been
expressed, as policies and practices that exploited that vulnerability had been exposed
across the globe. She added that surveillance practices could have a very real impact on
peoples’ human rights, including their rights to privacy to freedom of expression and
opinion, to freedom of assembly, to family life and to health. In particular, information
collected through digital surveillance had been used to target dissidents and there were
credible reports suggesting that digital technologies had been used to gather information
that led to torture and other forms of ill-treatment.
3
A/HRC/28/39
7.
The Deputy High Commissioner recalled that in resolution 68/167, the General
Assembly had requested the High Commissioner to submit a report on “the protection and
promotion of the right to privacy in the context of domestic and extraterritorial surveillance
and/or the interception of digital communications and the collection of personal data,
including on a mass scale”, which was presented to the Human Rights Council at its
twenty-seventh session. The report built on expert consultations and in-depth research
regarding existing national and international legislation and jurisprudence, and information
from a broad range of sources, including replies to a questionnaire sent out to stakeholders.
8.
As the report made clear, international human rights law provided a robust and
universal framework for the promotion and protection of the right to privacy, including in
the context of domestic and extraterritorial surveillance; the interception of digital
communications; and the collection of personal data. However, practices in many States
revealed a lack of adequate national legislation and enforcement, weak procedural
safeguards and ineffective oversight, which contributed to widespread impunity for
arbitrary or unlawful interference with the right to privacy.
9.
The Deputy High Commissioner recalled that the High Commissioner’s report
examined the protection afforded by international human rights law regarding privacy,
including the meaning of “interference with privacy” in online communications; the
definition of “arbitrary and unlawful” interference in that context; and the question of
whose rights were protected, and where. For instance, on the question of what constituted
privacy interference, it was clear that the aggregation of communications data might give a
comprehensive insight into an individual’s behaviour, social relationships, private
preferences and identity, extending even beyond the information obtained by reading
someone’s mail. The collection and retention of communications data might therefore
constitute an interference with privacy, whether or not those data were subsequently
consulted or used. The very existence of a mass surveillance programme regarding email
communication and other forms of digital expression created an interference with privacy,
and the onus was on the State to demonstrate that such interference was neither unlawful
nor arbitrary.
10.
Turning to “arbitrary” or “unlawful” interference with privacy, the report noted that
State surveillance of electronic communications data might be a legitimate law enforcement
measure, if it was conducted in compliance with the law. But States must demonstrate that
the surveillance was both necessary and proportionate to the specific risk being addressed.
Mandatory third-party data retention – whereby telephone companies and Internet service
providers were required to store metadata about communications by their customers, for
subsequent access by law enforcement and intelligence agencies – appeared neither
necessary nor proportionate.
11.
As stressed in the report, the Deputy High Commissioner recalled that States had an
obligation to ensure that the privacy of individuals was protected by law against unlawful
or arbitrary interference. All forms of communications surveillance must be conducted on
the basis of publicly accessible law; and that law must in turn comply with the
constitutional regime of the State concerned and international human rights law. Secret
rules and secret interpretations of the law – even if issued by judges – were not compatible
with the principle that laws should be clear and accessible. Neither were laws or rules that
gave excessive discretion to executive authorities, such as the security and intelligence
services.
12.
The Deputy High Commissioner also mentioned the concerns raised in the report
regarding extraterritorial surveillance and the interception of digital communications.
Drawing on the work of the Human Rights Committee and the International Court of
Justice regarding the determination of when a State exercises jurisdiction, the report noted
that the human rights obligations of a State were engaged whenever it exercised power or
4
A/HRC/28/39
effective control. If surveillance involved the exercise of power or effective control by a
State in relation to digital communications infrastructure, then wherever it might be taking
place, that surveillance might engage the human rights obligations of the State. That would
include, for example, direct tapping or penetration of a communications infrastructure and
exercise by the State of regulatory jurisdiction over a third party which physically
controlled the data.
13.
The report recalled that international human rights law was also explicit on the
principle of non-discrimination and that States must take measures to ensure that any
interference with the right to privacy complied with the principles of legality,
proportionality and necessity, regardless of the ethnicity, nationality, location or other
status of the people whose communications it was monitoring.
14.
The report also referred to the essential nature of procedural safeguards and effective
oversight to safeguard the right to privacy in law and in practice. A lack of effective
oversight had contributed to impunity for arbitrary or unlawful intrusions on the right to
privacy in the digital environment. Internal safeguards devoid of independent oversight had
been demonstrably ineffective against unlawful or arbitrary surveillance methods.
Appropriate safeguards must include independent civilian oversight and participation from
all branches of Government, in order to ensure the effective protection of the law. States
also had a legal obligation to provide effective remedies for violations of privacy through
digital surveillance, in judicial, legislative or administrative forms, with procedures that
were known and accessible.
15.
Finally, the Deputy High Commissioner referred to the role of the private sector, an
issue also addressed in the report of the High Commissioner. Governments increasingly
relied on corporations to conduct and facilitate digital surveillance. In some cases there
might be legitimate reasons for a company to provide user data. But when the request was
in violation of human rights law, or where the information was used in violation of human
rights law, that company risked being complicit in human rights abuses. The Guiding
Principles on Business and Human Rights, endorsed by the Human Rights Council in
resolution 17/4 of 16 June 2011, provided a global standard for preventing and addressing
adverse the human rights effects of business activity. They made clear that the
responsibility to protect human rights applied throughout a company’s global operations,
regardless of where its users were located, and independently of whether a State met its
own human rights obligations. Many corporations appeared to be insufficiently aware of
those issues.
16.
The Deputy High Commissioner concluded by noting that the lack of government
transparency regarding the measures that they had adopted that might impact on the right to
privacy, often rendered attempts to address the gaps and exercise accountability extremely
arduous. She concluded that there was a clear need for further discussion and in-depth
analysis as information regarding those measures became public.
III. Contributions of panellists
17.
In response to questions from the moderator, the initial remarks of the panellists
focused on issues linked to the international human rights law framework with respect to
the right to privacy, including procedural safeguards, effective oversight and right to a
remedy, as well as the role of the business sector.
18.
The Legal Director at Privacy International highlighted the importance of privacy in
any democratic society and stressed the links between privacy and the concept of human
dignity. She noted that the right to privacy was a fundamental precondition to, and
guarantor of, other rights, as it enabled individuals to independently develop thoughts and
5
A/HRC/28/39
ideas that could be freely expressed, to choose which religion in which to worship and
which political party to support. Ms. Nyst explained that the right to privacy was first
articulated in international law in the Universal Declaration of Human Rights, when the
drafters were clear not only about the necessity of the inclusion of the right to privacy, but
also about the importance of the right to privacy of communications, as shown by the
travaux preparatoires to the Declaration.
19.
Ms. Nyst noted that many common actions done on a daily basis included a
“communication”, such as sending an e-mail or a text message, accessing a bank account,
searching for information on the Internet, or accessing government services. Any digital
communication involved private data travelling around the world, and through the cables of
many private companies, before it reached its destination. The challenge that technology
posed to privacy was to ensure that the obligations of the State to respect, fulfil and protect
the right to privacy and the responsibilities of the private sector were meaningful in the
digital era. She noted that the legal framework already existed, as the right to privacy was
enshrined in most international and regional human rights treaties and in many national
constitutions, and that a new understanding of how those texts applied was needed.
20.
The Special Rapporteur on freedom of expression of the Inter-American
Commission on Human Rights referred to the opportunities for the free expression,
communication and exchange of information created by the Internet. She noted that, at the
same time, the capture, storage, and administration of enormous quantities of data had also
been facilitated. That information, whether content data or metadata, could be highly
revealing of even the most intimate aspects of the private lives of individuals or
communities. She noted that legal frameworks had not followed the pace of technological
developments in the digital era, and stressed the need for regulation of both the collection
and analysis of information, taking into account freedom of expression, the right to privacy
and other relevant human rights.
21.
Ms. Botero further noted that surveillance policies could have an impact on a broad
spectrum of human rights. She referred to the impact of surveillance on the right to freedom
of expression, either directly when the right could not be exercised anonymously as a
consequence of surveillance, or indirectly, because the mere existence of surveillance could
have a chilling effect, instil fear and inhibition and make individuals cautious about what
they said and did. She explained that, because the right to freedom of expression was a
platform right, its violation could also lead to the violation of other rights, including
freedom of association, freedom of assembly, religious freedoms and the right to health.
Because of the potential impact of surveillance activities on the entire human rights
architecture, there was a need for States to revise their laws to establish limits on
surveillance programmes, which should include respect for the principles of necessity and
proportionality, and appropriate monitoring mechanisms. Ms. Botero explained that
because the Internet was a special and unique communications medium that enabled the
free, plural, and democratic exercise of the right to freedom of expression, its governance
was a particularly relevant matter. She noted that in order to make sure that all relevant
points of view could be properly considered, States must ensure the equal participation of
all actors relevant to the governance of the Internet and foster strengthened cooperation
between the authorities, academia, civil society, the scientific and technical communities
and the private sector, both nationally and internationally.
22.
The Louis Henkin Professor of Human and Constitutional Rights at Columbia Law
School stated that all persons, regardless of location or nationality, were protected by
human rights that were universal and inherent to human dignity. She noted that State
surveillance practices sometimes distinguished between citizens and non-citizens. In that
regard, Ms. Cleveland stressed that, as recognized by the Human Rights Committee, the
principle of non-discrimination in article 2 of the International Covenant on Civil and
6
A/HRC/28/39
Political Rights protected citizens and non-citizens alike.1 Consequently, neither citizens
nor non-citizens might be subjected to unlawful or arbitrary interference with their privacy.
She also noted that surveillance was often undertaken by States on their own territory, to
suppress freedom of expression and association, or to punish journalists, dissidents and
other government critics. According to article 17 of the International Covenant on Civil and
Political Rights, States had the obligation to respect and ensure the privacy rights of all
persons within their territory and subject to their jurisdiction.
23.
Ms. Cleveland emphasized that the protections in the International Covenant on
Civil and Political Rights applied to persons otherwise subject to the jurisdiction of a State,
as recognized by the International Court of Justice2 and the Human Rights Committee.3
That was also the reading that best reconciled the text of the International Covenant on
Civil and Political Rights with its content, object and purpose. The Human Rights
Committee had long recognized that a State could not avoid its international human rights
obligations by taking action outside its territory that it would be prohibited from taking at
home. Ms. Cleveland explained that cyber activity transcended territory, that digital
surveillance could involve the minimal exercise of physical control by the State over a
person or territory and could involve action in one location that had an impact upon a
person in another. She stressed that such conduct could engage the human rights obligations
of a State. Lastly, she noted that the fact that privacy rights applied to non-citizens or
nationals abroad did not mean that surveillance activities were per se always unlawful. Any
restriction to the right to privacy to accommodate legitimate national security or law
enforcement interests must be adopted while taking full account of the requirements, as
provided in international human rights law; in particular they must not be arbitrary or
unlawful.
24.
Turning to the role of the private sector, the moderator, Mr. Milanovic, noted that
private companies aggregated data for their own purposes, and might also be co-opted into
governmental schemes. Focussing on the relationship between Governments and private
telecommunication companies, he asked how private companies should react to government
requests. The Deputy Chief Corporate Social Responsibility Officer at Orange noted that
issues relating to various requests that a telecommunication company might receive to
collect or keep data regarding their customers or to make their networks “wiretap-ready”
became more vivid during the Arab Spring. Telecommunication companies had received
requests from Governments – in some cases at gunpoint – that might have had an impact on
the the rights to freedom of expression and privacy of their customers. That had led those
companies to create the Telecommunications Industry Dialogue on Freedom of Expression
and Privacy, to jointly address issues related to freedom of expression and the right to
privacy in the telecommunications sector. 4 The Dialogue had published a set of 10 guiding
principles on 12 March 2013, which were influenced by the Guiding Principles on Business
and Human Rights: implementing the United Nations “Protect, Respect and Remedy”
Framework. The principles published by the Dialogue addressed privacy and freedom of
expression as they related to the telecommunications sector, specifically exploring the
1
2
3
4
See Human Rights Committee, general comment No. 18 (1989) on non-discrimination.
See International Court of Justice, Legal Consequences of the Construction of a Wall in the Occupied
Palestinian Territory, Advisory Opinion, I.C.J. Reports 2004, p. 136., and Armed Activities on the
Territory of the Congo (Democratic Republic of the Congo v. Uganda), Judgment, I.C.J. Reports
2005, p. 168.
See Human Rights Committee, general comment No. 31 (2004) on the nature of the general legal
obligation imposed on States parties to the Covenant.
The Telecommunications Industry Dialogue is currently composed of seven operators and two
vendors. See www.telecomindustrydialogue.org.
7
A/HRC/28/39
interaction and boundaries between the duty of a Government to protect human rights and
the responsibility of telecommunications companies to respect human rights.
25.
In terms of challenges, Mr. Nissim emphasized that telecommunications companies
had many personnel on the ground in various countries and that their safety and security
was an absolute priority, as recognized in the fifth guiding principle.5 He also noted that,
while the companies engaged in the Telecommunications Industry Dialogue wanted to
uphold human rights, in particular freedom of expression and the right to privacy, it was
important to recall that they had licence agreements with Governments and were subject to
national laws and regulations. Because of the need to protect their staff who were present
in-country, companies needed to be able to engage in a dialogue with host Governments
whenever necessary. He noted that there were three pressing issues that needed to be
resolved. First, Governments should not request or be granted direct access to the
telecommunications network. Second, the process through which Governments could make
requests to telecommunications companies must be clear and transparent. Third, while
telecommunications companies were willing to be transparent about the requests they
received, transparency was the responsibility first and foremost of Governments.
26.
Turning to the conditions for the lawful restriction of the right to privacy and
freedom of expression, Ms. Botero explained that any limitation must be established
beforehand by legislation. Such laws must precisely define the causes and conditions that
would enable the State to intercept the communications of individuals, collect
communications data or subject them to surveillance or monitoring that had an impact on
the right to privacy. The law must not be vague or ambiguous, or grant broad discretionary
powers to the executive power in its interpretation. It must also provide safeguards
pertaining to the nature, scope and duration of surveillance measures. Limitations to the
right to privacy must also pursue a legitimate aim. In the case of surveillance, the grounds
most likely to be relied upon by the State were national security and the fight against crime.
Any limitation must be proportionate and strictly necessary. That means that a true and
compelling need to impose the limitation must be clearly established and the objective
could not be accomplished by any other less restrictive measure. In any event, the rights
should be limited only when the risk to the protected interest, narrowly defined, was greater
than the general interest in maintaining the right to privacy and freedom of expression.
Ms. Botero also noted that the test must be stronger when the rights protected dealt with the
most intimate aspects of a person’s private life. In order to ensure the protection of the
principles of legality, proportionality and necessity, decisions to undertake surveillance
activities that limited the right to privacy and other rights should be authorized by
independent judicial authorities.
27.
With regard to proportionality, Ms. Cleveland noted that a measure should be
proportionate to the significance of the interests at stake: the interest of the State in
pursuing the measure and the privacy interest of the individual. She explained that the more
acute the privacy interest of the individual, the more narrowly tailored the measure must be.
She referred to the jurisprudence of the European Court of Human Rights, which provided a
reasonable margin of appreciation to States, especially in the national security area, to
determine on a case-by-case basis what measures were necessary and proportionate to the
achievement of a particular State interest. Ms. Cleveland also noted the importance of the
procedural safeguards put in place by the State to ensure that the surveillance regime was
being applied properly. She noted that there needed to be legal safeguards to define the
5
8
Principle 5 states “Always seek to ensure the safety and liberty of company personnel who may be
placed at risk”.
A/HRC/28/39
regime, as well as oversight and remedies ex post facto to make sure that the regime was
not abused.
28.
Mr. Milanovic noted that States often made a distinction between the collection of
the content of a communication, on the one hand, and data about the communication, or
metadata, on the other, with the former subject to stronger safeguards than the latter. He
asked whether such distinctions were relevant regarding digital communications. Ms. Nyst
noted that such distinctions must be unequivocally abandoned, as they reflected an outdated
understanding of the nature of today’s communications and a failure to update laws
accordingly. She noted that such distinctions dated back to an era where there was indeed a
difference between the envelope and the content of the envelope, whereas when looking at
digital communications, the so-called envelope, or metadata, contained very sensitive,
valuable and extensive information. For instance, that information could be derived from
the metadata and analysed to obtain information about an individual’s political or religious
beliefs. She referred to a study by Stanford University, which showed that medical,
financial and legal information could be obtained from metadata. She stressed the serious
need, therefore, to re-evaluate that distinction, as noted in the report of the High
Commissioner. Ms. Nyst noted progress in several countries, which had recognized the
need for increased protection of metadata. She also noted that the European Court of Justice
had recently invalidated the blanket data retention law6 and concluded that there was a trend
towards increased protection of metadata. However, Ms. Nyst stressed that further guidance
on how domestic laws should follow suit was needed.
29.
From an operator’s perspective, Mr. Nissim said that data such as tracking calls was
often retained by telecommunications companies for technical reasons, to ensure the quality
of services and networks. He noted, however, that when Governments asked
telecommunications companies to retain the information collected for longer periods of
time, or to provide access, the information could be misused. He added that any access by
Governments should require legislation. Mr. Nissim also noted that where the level of “big
data” was reached, and if the information was anonymized, it could be used in a very
positive way, e.g. for urban planning, transportation and communications.
IV. Summary of the discussion
30.
During the interactive discussion, delegations from Algeria, Australia, Belgium,
Canada, China, Cuba (on behalf of the like-minded group of countries), Ecuador, the
European Union, Estonia, France, Germany (on behalf of Austria, Brazil, Germany,
Liechtenstein, Mexico, the Netherlands, Norway and Switzerland), India, Indonesia,
Ireland, Italy, Malaysia, Pakistan (on behalf of the Organization of Islamic Cooperation),
Romania, the Russian Federation, Sierra Leone, Slovenia, the United Arab Emirates, the
United Kingdom of Great Britain and Northern Ireland, the United States of America, the
Bolivarian Republic of Venezuela and the United Nations Educational, Scientific and
Cultural Organization (UNESCO) took the floor. Statements by Chile, Myanmar and
Uruguay were not delivered due to lack of time. Copies of their statements were posted on
the Human Rights Council extranet.
31.
Delegates of the following non-governmental organizations also took the floor: the
American Civil Liberties Union (in a joint statement with Human Rights Watch),
Article 19, the Association for Progressive Communications and the Korea Center for
United Nations Human Rights Policy.
6
See European Court of Justice, judgement of 8 April 2014, joined cases C-293/12 and C-594/12.
9
A/HRC/28/39
A.
General remarks on the right to privacy in the digital age
32.
Many delegations highlighted the quality of the report submitted by the High
Commissioner on the right to privacy in the digital age and the fact that it was an important
milestone in the context of the ongoing discussion. Many delegations also noted their
appreciation for the work of the Office of the United Nations High Commissioner for
Human Rights (OHCHR) and others in ensuring that the right to privacy was safeguarded
in law and in practice.
33.
Many delegations welcomed the panel discussion, as the topic was timely and the
discussion necessary, bearing in mind that technological advances ran ahead of an
understanding of their human rights implications. The importance of discussions held on
the issue by the Human Rights Council, as well as in other forums, such as the Internet
Governance Forum, was also noted.
34.
One delegation noted that there were close to 3 billion Internet users around the
world and that a free and secure Internet had become a priority for people everywhere. As
foreseen in the post-2015 sustainable development goals and the Programme of Action for
the Least Developed Countries for the Decade 2011–2020 (A/CONF.219/3/Rev.1),
everyone should have access to the Internet by 2020.
35.
Most interventions indicated, as already highlighted in the report of the United
Nations High Commissioner, that innovations in technology had had a positive impact on
freedom of expression, had facilitated global debate and had fostered democratic
participation. It was noted that digital communications could be tools for facilitating the
enjoyment of human rights, had contributed to the advancement of human civilization, and
had brought new opportunities for communication, knowledge and business. Privacy was
integral to a free, fair and open society in which views could be freely expressed without
any fear of repression or detention.
36.
Most delegations noted, however, that the same technological platforms had also
enhanced the capacities of State and non-State actors to conduct surveillance, interception
and mass data collection. Some delegations stated that those platforms were not only
vulnerable to mass surveillance, but actually facilitated it. One NGO noted that when
privacy online was threatened, trust in the Internet disappeared, depriving everyone,
including journalists, bloggers and human rights defenders, of the liberty to communicate
securely, anonymously and in confidence, with a chilling effect on freedom of expression.
Another NGO emphasized that for everyone, especially those living under repressive
regimes, the integrity of communications was critical to preserving individual liberty and
security of the person, as well as political rights.
37.
The exponential growth of State power in some countries due to their information
technology infrastructure was noted. Some delegations focused on the fact that much of the
world’s electronic communications passed through a limited number of countries. In turn,
that provided an opportunity for intercepting private communications. Some countries had
developed technologies that allowed access to much of the world’s global Internet traffic,
call records, individuals’ electronic address books and huge volumes of other digital
communications content. Reports of certain Governments monitoring communications at
global events were also referred to. A number of speakers recalled that the sovereignty of
States should always be respected with regard to surveillance, interception and the
collection of personal data.
38.
Other delegations noted that there was a growing trend by some Governments to use
cybertechnologies to control their own citizens, in violation of their right to freedom of
expression and the right of access to information. It was noted that political activists and
members of religious minorities were targeted, detained and sometimes killed. An NGO
10
A/HRC/28/39
noted that the effects of online surveillance were often felt offline and were part of a global
trend to restrict civic space. Lawful protest movements were monitored by the State and
private actors to undermine peaceful actions and related rights, in particular the rights to
freedom of expression and assembly.
39.
Most delegations reaffirmed that rights held by people offline must also be protected
online, as set out in General Assembly resolution 68/167 and Human Rights Council
resolutions 20/8 and 26/13.
40.
Most delegations considered the right to privacy a precondition to being able to
freely express oneself and one of the founding rights of a democratic society. Many
delegations noted that surveillance had an impact on rights other than the right to privacy,
in particular freedom of expression and of opinion and freedom of assembly and
association. It was further noted that privacy and freedom of expression were “interlinked
and mutually dependent” (see A/HRC/23/40, para. 79) and that they enabled and facilitated
the development of other fundamental rights and sustainable development. To illustrate
this, two NGOs noted the concrete harm that large-scale electronic surveillance could have
on the work of journalists and lawyers, undermining freedom of expression and association
and the right to counsel.7 One delegation referred to attempts to silence the media. Another
NGO referred to bloggers facing charges of terrorism, partly because they had encrypted
their communications and engaged in digital security training to ensure their privacy.
41.
One delegation noted that individuals were often not aware of the extent to which
data could be used or shared, even when collected with their consent. Some delegations
referred to the right to data protection and to the Council of Europe Convention for the
Protection of Individuals with regard to Automatic Processing of Personal Data and its
additional Protocol as the first binding international instrument in the data protection field
and an important contribution to the right to privacy. One delegation referred to a so-called
“right to be forgotten”, where the legitimate wish not to be associated with only a particular
aspect of one’s life or past might clash with the right to be informed and might also lead to
a distortion in collective memory.
42.
Many delegations highlighted the measures taken at national level to ensure
protection of the right to privacy in the digital age. UNESCO referred to its work in relation
to privacy and freedom of expression in the digital age, to a publication on internet privacy
and freedom and expression and to a comprehensive study on Internet issues, including a
focus on freedom of expression, privacy, access to knowledge and information and the
ethics of the information society.
B.
Legal protection of the right to privacy
43.
Most delegations emphasized that international law provided a clear framework for
the right to privacy, enshrined in article 12 of the Universal Declaration of Human Rights
and article 17 of the International Covenant on Civil and Political Rights. Many observed,
however, that the implementation of the right to privacy was lacking and that there was a
need for concrete measures to safeguard that right. Some noted that unilateral and
unauthorized access to private data and extensive surveillance needed to be addressed
comprehensively and calls were made for urgent measures to be taken to stop current
surveillance practices and protect individuals from violations of their right to privacy.
7
Human Rights Watch and American Civil Liberties Union, “With liberty to monitor all: how largescale US surveillance is harming journalism, law and American democracy” (July 2014).
11
A/HRC/28/39
44.
Many delegations recalled that any limitation to the right to privacy must be based
on accessible, transparent, clear, comprehensive and non-discriminatory laws and be
limited to what was necessary to safeguard the public interest in a democratic society. Any
state surveillance of individuals must be proportionate and fair, in compliance with
international norms and standards, governed by the rule of law and subject to oversight.
There must be adequate and effective guarantees against abuses. It was noted that defining
the line between arbitrary or unlawful interference in the right to privacy properly would be
one of the challenges of the next few years. It was also stressed that blanket surveillance
could amount to an unjustified infringement. One delegation noted that article 17 of the
Covenant must be the basis for discussion of the limiting principles – legality and
arbitrariness – expressly stated therein.
45.
Several delegations noted that States had legitimate security concerns, including the
threat of terrorism and cybercrime. One delegation noted that the use of the Internet for
criminal and antisocial activities was on the rise. Another delegation noted that security
required intelligence, including with regard to digital communications to counter terrorism,
while another stated that Governments had the responsibility to protect individuals, and that
data surveillance could be an effective and legitimate measure for law enforcement
purposes. There was broad agreement, however, that legitimate security concerns needed to
be addressed within the framework of international human rights law, including the right to
privacy.
46.
In response to a question about data-sharing between government agencies,
Ms. Nyst stated that the same oversight and procedural guarantees should apply to
information collected directly and obtained through the sharing of information.
Ms. Cleveland noted that the Human Rights Committee had expressed concern in that
regard.8 Data sharing between various State agencies within a given country could be
legitimate, provided the purpose of the collection and use of that data was the same for each
of those agencies, so as to ensure compliance with the principles of necessity and
proportionality and therefore no breach of the right to privacy.
47.
Some delegations noted that the Internet transcended traditionally existing
geographical boundaries. Several delegations recalled that, as stated in the report of the
High Commissioner, human rights law applied when a State exercised power outside its
own territory, so that it could not avoid its international human rights obligations and
bypass its own national laws by taking action outside its territory, which it would be
prohibited from taking at home. Several delegations recalled that article 17 of the
International Covenant on Civil and Political Rights must be read in conjunction with
article 2 of the Covenant, which states that the obligations of States apply to all individuals
within their territory and subject to their jurisdiction. Several delegations noted that any
interference with the right to privacy should comply with the principles of legality,
proportionality and necessity, regardless of the nationality or location of individuals whose
communications are under direct surveillance. While many delegations stressed that the
responsibility of the State to protect the right to privacy did not end at its borders, some
delegations expressed concerns about expansive views on the extraterritorial application of
the Covenant and called for an in-depth discussion on the issue of extraterritoriality with
regard to article 17.
48.
Ms. Nyst recalled that most surveillance took place within a State. On the question
of citizenship-based distinctions for the purpose of surveillance, she noted that not only
were those distinctions in violation of the principle of non-discrimination, but it was also a
very outdated and impractical approach, because it was difficult – if not impossible – to
8
12
See Human Rights Committee general comment No. 16 (1988) on the right to privacy, para. 10.
A/HRC/28/39
know the nationality of the sender of a digital communication. On the question of whether
control over telecommunications infrastructure could qualify as State jurisdiction for the
purposes of article 2 of the Covenant, Ms. Cleveland stated that because digital
communication transcended geography, some conception of the extraterritorial application
of human rights was necessary to ensure that human rights could be protected online as well
as offline. She noted that there were various approaches to extraterritoriality, most of which
focused on the concept of jurisdiction outside the territory as involving some form of
effective control over a person or a territory, and that under that approach, it was possible to
view the exercise of control over Internet infrastructure as the exercise of control over a
territory that had effects on the rights of individuals, wherever they might be located.
49.
It was noted that the responsibility to respect the right to privacy lay with a number
of different actors. Some delegations underscored the lack of effective oversight as having
contributed to a lack of accountability for unlawful intrusions on the right to privacy, as
well as the shortcomings of relying on internal safeguards without independent external
monitoring. The need to protect the rights of victims was underlined. One delegation noted
that it was up to each State to develop independent and effective national oversight
mechanisms, to ensure the proper application of the rules that govern electronic
surveillance. One non-governmental organisation stated that there had been cases of mass
surveillance for the purpose of arresting human rights defenders or identifying participants
at peaceful assemblies, where “rubber stamping” by the courts had been instrumental, or
where personal data collected by telecommunication companies through real-name
verification systems had been provided to intelligence and investigative agencies in the
absence of any court examination. The need for effective oversight regimes, with attention
paid to the rights of victims to an effective remedy, was stressed, including the involvement
of an independent and impartial judiciary as a key safeguard.
50.
In response to questions about procedural safeguards and oversight mechanisms to
ensure that the law was effective and applied in practice, Ms. Nyst explained that an
essential precondition to greater and more effective oversight was the end to pervasive
secrecy. Governments needed to be more transparent about the activities they needed to
engage in to provide security and they must not compromise the infrastructure in a way that
was beyond control of the public. She also noted that all individuals, particularly judges and
lawyers, should gain a better understanding of how Internet technology worked, which
would help them to better understand how surveillance worked. She underscored the
importance of ensuring that any surveillance was authorized by an independent and
competent judicial authority. She added that it was essential that individuals be notified of
the fact that they had been subject to surveillance, in order to be in a position to obtain
redress. She also noted the need for more rigorous independent oversight mechanisms, with
technical understanding of how surveillance worked, to enable an examination to be made
of the human rights implications of surveillance by the security services. Finally, she noted
that a special procedures mandate holder with technical expertise could provide guidance
about good practices and about what the human rights framework required to ensure the
protection of the right to privacy. Ms. Botero added that there was no uniformity in the
domestic standards that regulated surveillance and said that a good practice at national level
was to have an expert body that would focus specifically on technology and human rights in
the context of surveillance. She noted that oversight could be institutional, judicial, interorganic and through an ombudsperson, that procedural guarantees should include prior
judicial authorization of surveillance measures and that the legal basis and criteria for the
decision should be public.
51.
Turning to a question on the obligation of States to provide an effective remedy for
violations of the right to privacy, Ms. Cleveland noted that while article 2 of the
International Covenant on Civil and Political Rights provided an obligation for States to
grant an effective remedy, this was a very difficult question, owing to the secrecy of
13
A/HRC/28/39
surveillance practices. Individuals often did not know that they had been subject to
surveillance and therefore might lack standing because they could not show sufficient
injury. She noted that Governments needed to be more transparent about the surveillance
programmes that they were pursuing, to allow for public scrutiny. She also noted that it was
important that individuals received specific notice that they had been subject to surveillance
after the surveillance had ceased. She further noted that standing rules must be generous
enough to allow for meaningful challenge of surveillance programmes. In that respect, she
emphasized that the European Court of Human Rights required a sufficient likelihood – not
a demonstration – of actual injury. She noted that classified judicial proceedings were
problematic, but that some kind of judicial test was nonetheless important. The key
challenge was to make those proceedings as transparent and effective as possible.
52.
On the question of whether there should be dedicated courts to examine surveillance
measures, Ms. Cleveland noted that States needed to find a way to satisfy transparency
requirements and democratic oversight, while at the same time allowing for some level of
confidentiality. A good option was to have special procedures to deal with classified
information, but in regular courts. On that point, Ms. Nyst added that while there was some
value in having specialized judges with technical knowledge, it was essential that courts
allowed parties to be on an equal footing when challenging surveillance. It was crucial,
therefore, that there be no secret courts and no procedure that would allow for secret
interpretations of laws. Any court that did not allow for the utmost transparency and
scrutiny did not allow the power asymmetry between the individual and the State to be
corrected and might in fact serve to legitimize unlawful surveillance measures.
C.
Specific issues regarding business entities
53.
The role of private companies was also raised by several delegations. Some
delegations noted that companies had been put under pressure by Governments, or had been
compelled to hand over data. Others noted that international Internet and
telecommunication technology companies had been developing and executing their own
surveillance capabilities or assisting States in their surveillance of individuals. Mr. Nissim
noted that the technology used by telecommunications companies was very complicated,
but could be accessed by Governments. He referred for example to “deep packet
inspection”, which enabled the content of communications to be examined as it was
transmitted and thereby allowed Internet service providers to monitor and analyse the
Internet communications of users in real time. Mr. Nissim noted that this equipment was
used by telecommunication companies to improve the service that they provided to
customers, but that it could also be used by Governments for surveillance purposes, without
the telecommunication company even being aware of what was happening, as had
happened to Orange in the course of its operations.9
54.
Many delegations asked that businesses and third parties be more transparent and
accountable in their conduct. Some delegations emphasized that a deeper understanding of
how intermediaries and other business entities could meet their responsibilities to respect
human rights, as well as the identification of the regulatory powers which ought to rest with
the public and the private sector, was necessary. Mr. Nissim confirmed that transparency
was a key issue for telecommunication companies that were under severe pressure to be
more transparent. In that regard, he noted that his chief executive of his company had
signed a data protection charter, which committed the company to protecting the security of
9
14
See Human Rights Watch, “They know everything we do: telecom and Internet surveillance in
Ethiopia” (March 2014).
A/HRC/28/39
its customers’ personal data; providing control for customers over their own personal data
and how it was used; being transparent in terms of the handling of data for its customers
and users at all stages; and providing support for all its customers and users to help them
protect their privacy and manage their personal data. He noted however, that his company
had suffered two breaches of privacy since the charter was signed, emphasizing that
protecting data from government interference was always a challenge. He stated again that
it was important to recall that, while a number of telecommunication companies were
committed to being transparent, transparency must come, first and foremost, from the State.
He also recalled that telecommunication companies were bound by local laws and therefore
that the legal framework within which they operated varied from country to country. He
noted an ongoing trend for companies to map the legal framework in all the countries in
which they operated. He noted that in some countries, the legislation allowed for
transparency ex-post facto, either by allowing the companies to provide information on the
requests made to them by Governments, or the data transmitted to them, or by permitting
the State to do so. In other States, neither the company nor the State could be transparent
about the measures the company had had to share. He noted that telecommunications
companies tried with the means at their disposal to protect international human rights law.
For example, he noted that during the Arab Spring, a Government had requested his
company to send text messages to all their base customers. Following an initial refusal from
the company, members of the armed forces were sent to reiterate the demands of the
Government. His company sent the message as requested, together with the signature of
one of the members of the armed forces present. This was a small, yet important, piece of
information, which allowed civil society to understand the situation.
55.
Mr. Nissim highlighted the importance of multi-stakeholder engagement. In order to
illustrate that point, he referred to another situation which his own company had faced,
where the Government in question had backed down on the requests it had made to
telecommunication companies, owing to several factors, one of them being the fact that
civil society had publicized those requests. He noted that he would support the elaboration
of a legal instrument at the international level that would deal with the obligations of
private entities regarding protection of the right to privacy from surveillance measures, and
that model laws and best practices would also greatly assist Governments.
D.
Way forward
56.
Many delegations stressed the need for continued multi-stakeholder engagement.
They said that State engagement was not enough, but that private entities, civil society,
scientific and technical communities, the business sector, academics and human rights
experts needed to take part in the discussions. The need for further engagement of the
Human Rights Council was also highlighted.
57.
Several delegations requested that States review their procedures, practices and
legislation related to communications surveillance, interception and collection of personal
data, in order to adapt them to the needs of the twenty-first century and to ensure that they
were in full conformity with international human rights law. Others called for a transparent
international system with an adequate international framework of Internet governance,
including appropriate safeguards to protect personal data. One delegation called for the
development of a code of conduct on those issues. Several delegations and NGOs called
upon the Council to establish a mandate for a special rapporteur on the right to privacy, as it
was essential to bring focused and sustained attention to those issues.
15
A/HRC/28/39
V. Conclusions
58.
Panellists concluded that technological change might pose new challenges to
existing legislation. In such cases, established legal frameworks, including
international human rights law, would continue to apply, even if the implementation
of the law must be adapted to address the new reality. Regarding the promotion and
protection of the right to privacy, including in the context of domestic and
extraterritorial surveillance, the international human rights framework was clear.
There was a need, however, for better implementation at the national level of the
international norms related to the right to privacy, through adequate national
legislation and stronger safeguards and oversight.
59.
Panellists noted that the development of legal safeguards against violations and
effective oversight involving all stakeholders was essential. Independent, impartial
and competent courts must be more involved and better equipped to deal with those
complex issues. Furthermore, they noted the need for increased transparency,
regarding both surveillance policies and legislation and legal interpretations and court
rulings, where they existed. The laws and regulations and the way they were
interpreted and applied should be made publicly available. The powers of
Governments to access communication-related data should be based on a clear and
transparent legal framework that accommodated advances in technology and was in
accordance with the rule of law and international human rights norms and standards.
60.
Supporting the views of States, regional organizations and NGOs, the panellists
stressed that the protection and promotion of, and respect for, the right to privacy
required the sustained engagement of all stakeholders, including Governments,
industry, civil society and international organizations. They highlighted the unique
ability of the United Nations to convene all stakeholders and to explore the most
effective means of protecting the right to privacy and emphasized that the Human
Rights Council should continue to address the issue, including through the universal
periodic review, with the increased engagement of civil society. OHCHR and the High
Commissioner should also continue to work on the issue and special procedures must
engage within their own mandates as appropriate, Consideration should also be given
to the need to establish a new special procedures mandate on the right to privacy, to
examine existing challenges and how the right should be conceptualized more broadly.
61.
Finally, the panellists highlighted the vital role played by the United Nations
and other international organizations in promoting the international legal standards
that guide the actions of private companies, as they seek to respect the human rights
of their customers and other users. Businesses look to the United Nations for support
in promoting the adoption of those standards in the domestic law of Member States.
By furthering the international framework, international organizations were also
supporting businesses in meeting their responsibility to respect and protect the
privacy of users, as technological advances continued. The question of whether a
model law or a code of conduct could be drafted should be considered.
16
Download